Lucene search

27 matches found

SUSE CVE
added 2026/03/25 12:25 a.m. · 1 views

SUSE CVE-2026-29183

SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoi...

CVSS 9.3 · AI score 5.7 · EPSS 0.00462
Exploits: 1 · References: 3

Positive Technologies
added 2026/01/13 12:0 a.m. · 5 views

PT-2026-2379

Name of the Vulnerable Software and Affected Versions: Wondershare MobileTrans version 3.5.9. Description: The software contains an unquoted service path vulnerability within the ElevationService. This allows local users to potentially execute code with elevated system privileges. Exploitation...

CVSS 8.5 · AI score 7.6 · EPSS 0.00016
Exploits: 1 · References: 5

RedhatCVE
added 2025/12/31 11:5 a.m. · 2 views

CVE-2025-68979

Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through = 3.5.9...

CVSS 5.3 · AI score 7 · EPSS 0.00038
Exploits: 0 · References: 1

NVD
added 2025/12/30 11:15 a.m. · 3 views

CVE-2025-68979

Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through = 3.5.9...

CVSS 5.3 · EPSS 0.00038
Exploits: 0 · References: 1

Positive Technologies
added 2025/12/30 12:0 a.m. · 2 views

PT-2025-53869

Name of the Vulnerable Software and Affected Versions: SimpleCalendar versions through 3.5.9. Description: An authorization bypass exists due to user-controlled key vulnerability in Google Calendar Events. This allows exploitation of incorrectly configured access control security levels...

CVSS 8.1 · AI score 6.5 · EPSS 0.00038
Exploits: 0 · References: 4

Patchstack
added 2025/12/18 8:10 a.m. · 4 views

WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References (IDOR) vulnerability discovered by Doan Dinh Van in WordPress Plugin Google Calendar Events versions <= 3.5.9...

CVSS 8.1 · AI score 7 · EPSS 0.00038
Exploits: 0 · Affected Software: 1

RedhatCVE
added 2025/10/09 6:21 a.m. · 7 views

CVE-2025-11171

The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter,...

CVSS 5.3 · AI score 6.1 · EPSS 0.00379
Exploits: 3 · References: 1

NVD
added 2025/10/08 6:15 a.m. · 6 views

CVE-2025-11171

The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter,...

CVSS 5.3 · EPSS 0.00379
Exploits: 3 · References: 5

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2024-43369

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 6.5 · EPSS 0.00193
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 5:6 a.m. · 5 views

CVE-2023-5448

The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. This is due to missing or incorrect nonce validation on the updatepasswordvalidate function. This makes it possible for unauthenticated attackers to res...

CVSS 8.8 · AI score 6.8 · EPSS 0.00213
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/05 12:24 a.m. · 3 views

CVE-2024-31097

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Stephan Spencer SEO Title Tag allows Reflected XSS. This issue affects SEO Title Tag: from n/a through 3.5.9...

CVSS 7.1 · AI score 8.6 · EPSS 0.00092
Exploits: 0 · References: 1

OSV
added 2024/10/20 11:15 a.m. · 2 views

CVE-2024-49306

Cross-Site Request Forgery (CSRF) vulnerability in WP-buy WP Content Copy Protection & No Right Click allows Cross Site Request Forgery. This issue affects WP Content Copy Protection & No Right Click: from n/a through 3.5.9...

CVSS 8.8 · AI score 5.8 · EPSS 0.00193
Exploits: 0 · References: 1

Patchstack
added 2024/10/15 12:47 p.m. · 3 views

WordPress WP Content Copy Protection & No Right Click plugin <= 3.5.9 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin WP Content Copy Protection & No Right Click versions <= 3.5.9...

CVSS 8.8 · AI score 6.9 · EPSS 0.00193
Exploits: 0 · Affected Software: 1

OSV
added 2024/07/19 9:32 a.m. · 1 views

GHSA-5M3J-PXH7-455P Apache CXF: SSRF vulnerability via WADL stylesheet parameter

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured...

CVSS 8.2 · AI score 7.2 · EPSS 0.00544
Exploits: 0 · References: 6

NVD
added 2024/03/07 5:15 a.m. · 10 views

CVE-2024-28216

nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery...

CVSS 5.4 · AI score 6.1 · EPSS 0.00264
Exploits: 0 · References: 1

Patchstack
added 2024/01/10 12:0 a.m. · 9 views

WordPress WP Register Profile With Shortcode Plugin <= 3.5.9 is vulnerable to Cross Site Request Forgery (CSRF)

Software: WP Register Profile With Shortcode; Type: Plugin; Vulnerable versions: <= 3.5.9; Fixed in: 3.6.0; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-5448; Patch priority: Low; CVSS severity: Low 8.8; Developer: Claim ownership; PSID: 4d4b8ee6f41a; Credits...

CVSS 8.8 · AI score 6.6 · EPSS 0.00213
Exploits: 0 · References: 3 · Affected Software: 1

Positive Technologies
added 2023/07/06 12:0 a.m. · 2 views

PT-2023-7361 · Mastodon · Mastodon

Name of the Vulnerable Software and Affected Versions: Mastodon versions prior to 3.5.9; Mastodon versions prior to 4.0.5; Mastodon versions prior to 4.1.3. Description: The issue is related to Mastodon's handling of outgoing HTTP queries, where a timeout is set on individual read operations. A...

CVSS 7.8 · AI score 7.7 · EPSS 0.00224
Exploits: 0 · References: 14

OpenVAS
added 2023/05/15 12:0 a.m. · 27 views

etcd < 3.4.26, 3.5.x < 3.5.9 Information Disclosure Vulnerability (GHSA-3p4g-rcw5-8298)

etcd is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:etcd:etcd"; if...

CVSS 4.3 · AI score 9.1 · EPSS 0.00463
Exploits: 0 · References: 1

Github Security Blog
added 2023/05/12 8:19 p.m. · 37 views

etcd Key name can be accessed via LeaseTimeToLive API

Impact: LeaseTimeToLive API allows access to key names not value associated to a lease when Keys parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth RBAC. Patches: v3.4.26 and v3.5.9 are affected. Workarounds: No. Reporter: Yo...

CVSS 4.3 · AI score 6.1 · EPSS 0.00463
Exploits: 0 · References: 6 · Affected Software: 1

OSV
added 2023/04/06 8:15 a.m. · 4 views

CVE-2023-24001

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Yannick Lefebvre Modal Dialog plugin = 3.5.9 versions...

CVSS 4.8 · AI score 5.8 · EPSS 0.00207
Exploits: 0 · References: 1